HP FutureSmart - FutureSmart configuration changes for Microsoft channel binding and LDAP signing requirements for Windows (white paper)

Introduction
Microsoft released a security advisory¹ in August 2019 providing guidance to increase security for communications
between LDAP clients and Active Directory domain controllers. Unsafe default configurations for LDAP channel binding
and LDAP signing exist on Active Directory domain controllers. See Microsoft Advisory “ADV190023 - Microsoft Guidance
for Enabling LDAP Channel Binding and LDAP Signing” for additional information.
On March 10th, 2020 Microsoft will include options to harden LDAP communications on Active Directory domain
controllers in the March Windows update. These include a new group policy object for LDAP channel binding and new
event codes for LDAP signing and LDAP channel binding in the event viewer.
Important: The March 10, 2020 updates do not change LDAP signing or LDAP channel binding default policies or their
registry equivalents on new or existing Active Directory domain controllers.
Detailed Description
The LDAP security hardening guidance recommended in ADV190023¹ is managed through two registry
settings.
“LDAPServerIntegrity” registry setting:
When enabled, the server will:
- Reject LDAP simple binds on clear text (non-SSL encrypted) connections
- Reject Simple Authentication and Security Layer (SASL) LDAP binds that do not request signing (integrity
  verification)

Group Policy Setting    Registry Setting
None                    1 (default)
Require Signing         2
“LdapEnforceChannelBinding” registry setting:
When enabled, the server will:
- Reject authentication requests that do not include channel binding tokens (CBT) that provide channel binding
  information to the server

Group Policy Setting    Registry Setting
Never                   0 (default)
When Supported          1 (compatibility mode)
Always                  2
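As an added example that is not part of the HP white paper, the following PowerShell snippet lets a domain controller administrator read the two registry values described above and report which Group Policy setting each one maps to, then list clients (printers included) that are still binding without signing before enforcement is turned on. The registry paths and event ID 2889 are taken from Microsoft's ADV190023 documentation rather than from this page and are assumed here.

```powershell
# Added example, not from the HP white paper: audit a domain controller's
# LDAP signing and channel binding settings and map them to the policy names
# in the tables above. The registry path and event ID 2889 are taken from
# Microsoft's ADV190023 documentation, not from this page (assumed here).
# Run on the domain controller in an elevated PowerShell session.
$NtdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

# Registry value to Group Policy setting, per the two tables in this paper.
$SigningPolicy = @{ 1 = 'None (default)'; 2 = 'Require Signing' }
$CbtPolicy     = @{ 0 = 'Never (default)'; 1 = 'When Supported (compatibility mode)'; 2 = 'Always' }

function Get-LdapHardeningValue {
    param([string]$Name, [int]$Default)
    # A missing value means the DC still uses Microsoft's default behaviour,
    # which the March 2020 update does not change.
    $item = Get-ItemProperty -Path $NtdsParams -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return [int]$item.$Name
}

$signing = Get-LdapHardeningValue -Name 'LDAPServerIntegrity'       -Default 1
$cbt     = Get-LdapHardeningValue -Name 'LdapEnforceChannelBinding' -Default 0

$report = @(
    [pscustomobject]@{ Setting = 'LDAPServerIntegrity';       Value = $signing
                       Policy  = $SigningPolicy[$signing];    Hardened = ($signing -eq 2) }
    [pscustomobject]@{ Setting = 'LdapEnforceChannelBinding'; Value = $cbt
                       Policy  = $CbtPolicy[$cbt];            Hardened = ($cbt -eq 2) }
)
$report | Format-Table -AutoSize

# Before enforcing signing, find clients that still bind without signing or
# use simple binds over clear text: the DC logs each one as event 2889 in the
# Directory Service log once the "16 LDAP Interface Events" diagnostic level
# under NTDS\Diagnostics is raised to 2.
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2889 } `
             -MaxEvents 100 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message |
    Format-List
```

Any FutureSmart printer that shows up in the 2889 list needs the certificate and port 636 changes described in the next section before the DC is switched to "Require Signing" or "Always".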
HP FutureSmart Printer Configuration Changes
The following configuration changes are needed when enabling the LDAP hardening recommendations from Microsoft.
Important: A Certificate Authority (CA) certificate and corresponding intermediate certificates (if required) will need to be
installed into the printer certificate store to validate the Active Directory server public certificate. This CA certificate is
required to be able to use TCP port 636 for Windows authentication and LDAP queries over an encrypted SSL connection.
1. Obtain a CA certificate for the Active Directory server by contacting your IT server administrator.